Many features that make Tor a great tool for privacy also make it a tool for hiding the source of malicious traffic. That is why many resort to using CAPTCHA challenges to make it more expensive to be a bot on the Tor network. There is, however, a collateral damage associated with using CAPTCHA challenges to stop bots: human eyes also have to deal with them. Today’s edition of the Crypto Week introduces an “opportunistic” solution to this problem, so that under suitable conditions, anyone using Tor Browser 8.0 will benefit from improved security and performance when visiting Cloudflare websites without having to face a CAPTCHA.

Just as with Opportunistic Encryption, we can point users to the Cloudflare Onion Service using HTTP Alternative Services. For instance, when Tor Browser makes a request to “cloudflare.com,” Cloudflare adds an Alternative Service header to indicate that the site is available to access over HTTP/2 via our onion services. In the same sense that Cloudflare owns the IP addresses that serve our customers’ websites, we run 10 .onion addresses. Think of them as 10 Cloudflare points of presence (or PoPs) within the Tor network.

Once the browser receives this header, it attempts to make a new Tor circuit to the onion service advertised in the alt-svc header and confirm that the server listening on virtual port 443 can present a valid certificate for “cloudflare.com” — that is, the original hostname, not the .onion address. The onion service then relays the Client Hello packet to a local server which can serve a certificate for “cloudflare.com.” If the certificate is signed by a trusted certificate authority, for any subsequent requests to “cloudflare.com” the browser will connect using HTTP/2 via the onion service, sidestepping the need for going through an exit node. Remember that Tor circuits to onion services carry a circuit number which we can use to rate-limit the circuit.
Now, the question is how to inform a server such as nginx of this number with minimal effort. As it turns out, with only a small tweak in the Tor binary, we can insert a Proxy Protocol header in the beginning of each packet that is forwarded to the server. Luckily for us, the IPv6 space is so vast that we can encode the Tor circuit number as an IP address in an unused range and use the Proxy Protocol to send it to the server. The local Cloudflare server can then transparently use that IP to assign reputation, show CAPTCHAs, or block requests when needed. Similar to Opportunistic Encryption, Opportunistic Onions do not fully protect against attackers who can simply remove the alternative service header. Therefore it is important to use HTTPS Everywhere to secure the first request.
cloudflare blog, 20.09.2018
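As an added illustration (not Cloudflare's or Tor's code; the 2001:db8::/32 prefix, the 32-bit circuit field and the zero source port are assumptions), here is how a circuit number can be carried to the origin as a synthetic IPv6 address inside a PROXY protocol v1 header, recovered on the server side, and used as a per-circuit rate-limit key in place of an exit-node IP:

```python
import ipaddress
from collections import defaultdict
from typing import Optional

# Assumption: circuit numbers are mapped into the documentation prefix
# 2001:db8::/32 (never routed, so it cannot collide with a real client).
# The low 32 bits of the address carry the circuit number.
CIRCUIT_PREFIX = ipaddress.IPv6Network("2001:db8::/32")

def circuit_to_ipv6(circuit_id: int) -> str:
    """Encode a Tor circuit number as a synthetic IPv6 source address."""
    if not 0 <= circuit_id < 2**32:
        raise ValueError("circuit id must fit in 32 bits")
    return str(ipaddress.IPv6Address(int(CIRCUIT_PREFIX.network_address) | circuit_id))

def ipv6_to_circuit(addr: str) -> Optional[int]:
    """Recover the circuit number, or None if the address is a real client IP."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in CIRCUIT_PREFIX:
        return None
    return int(ip) & 0xFFFFFFFF

def proxy_v1_header(circuit_id: int, dst: str = "::1", dport: int = 443) -> str:
    """PROXY v1 line the onion-side daemon would prepend to the forwarded stream.
    A circuit has no meaningful source port, so 0 is used (assumption)."""
    return f"PROXY TCP6 {circuit_to_ipv6(circuit_id)} {dst} 0 {dport}\r\n"

def parse_proxy_v1(line: bytes) -> dict:
    """Server side: parse 'PROXY TCP6 <src> <dst> <sport> <dport>\\r\\n'."""
    parts = line.decode("ascii").rstrip("\r\n").split(" ")
    if len(parts) != 6 or parts[0] != "PROXY" or parts[1] != "TCP6":
        raise ValueError("not a PROXY v1 TCP6 header")
    return {"src": parts[2], "dst": parts[3], "sport": int(parts[4]), "dport": int(parts[5])}

class CircuitRateLimiter:
    """Per-circuit request budget. Once a circuit exhausts it, the server would
    challenge or block that circuit alone, instead of an entire exit node."""
    def __init__(self, limit: int):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, header_line: bytes) -> bool:
        src = parse_proxy_v1(header_line)["src"]
        key = ipv6_to_circuit(src)
        if key is None:      # a real address: fall back to keying on the IP itself
            key = src
        self.counts[key] += 1
        return self.counts[key] <= self.limit
```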

A previous post discussed a planned Firefox Nightly experiment involving secure DNS via the DNS over HTTPS (DoH) protocol. That experiment is now complete and this post discusses the results. During July, about 25,000 Firefox Nightly 63 users who had previously agreed to be part of Nightly experiments participated in some aspect of this study. Cloudflare operated the DoH servers that were used according to the privacy policy they have agreed to with Mozilla. The experiment generated over a billion DoH transactions and is now closed.
firefox nightly news, 28.08.2018

Cloudflare launched a privacy-first DNS resolver service on April 1st. The service, which was our first consumer-focused service, supports emerging DNS standards such as DNS over HTTPS:443 and TLS:853 in addition to traditional protocols over UDP:53 and TCP:53, all in one easy to remember address: 1.1.1.1. The exceptionally privacy-conscious folks might not want to reveal their IP address to the resolver at all, and we respect that. This is why we are launching a Tor onion service for our resolver at dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion and accessible via tor.cloudflare-dns.com.
cloudflare, 05.06.2018

Prolific YouTuber Tom Scott visited the home of the lava lamps for this video that explains why a bunch of cheap lava lamps play an integral role for a company that protects around 10 per cent of HTTP and HTTPS requests. The most simple explanation is that a lava lamp is a great way to generate randomness. Coding just isn’t great at generating random numbers because, at its heart, code requires a system to mimic chaos. The best encryption has a truly random key so it’s more difficult for a bad actor to guess how to break the cipher. Cloudflare videotapes its wall of colourful constantly morphing lava lamps and translates that video information into unique cryptographic keys.
gizmodo, 11.17

Internet company Cloudflare and wireless network operator CREDO Mobile sued the federal government to be allowed to disclose public national security letters they have received. They argued that the letters, which are administrative subpoenas issued by the government to gather information for national security purposes, are unconstitutional because they violate the First Amendment's freedom of speech protections. Companies that receive national security letters, or NSLs, are subject to gag orders, which means they can't even disclose they've received such orders unless the letters become declassified. And those gag orders last indefinitely. A three-judge panel on a US court of appeals in San Francisco on Monday upheld a lower court ruling that NSLs can remain secret. In their unanimous ruling, they said the Supreme Court "has concluded that some restrictions on speech are constitutional, provided they survive the appropriate level of scrutiny."
cnet, 17.07.2017

Wednesday, CloudFlare blogged that 94% of the requests it sees from Tor are "malicious." We find that unlikely, and we've asked CloudFlare to provide justification to back up this claim. We suspect this figure is based on a flawed methodology by which CloudFlare labels all traffic from an IP address that has ever sent spam as "malicious." Tor IP addresses are conduits for millions of people who are then blocked from reaching websites under CloudFlare's system. We're interested in hearing CloudFlare's explanation of how they arrived at the 94% figure and why they choose to block so much legitimate Tor traffic. While we wait to hear from CloudFlare, here's what we know.
tor blog, 31.03.2016

Based on data across the CloudFlare network, 94% of requests that we see across the Tor network are per se malicious. That doesn’t mean they are visiting controversial content, but instead that they are automated requests designed to harm our customers. A large percentage of the comment spam, vulnerability scanning, ad click fraud, content scraping, and login scanning comes via the Tor network. To give you some sense, based on data from Project Honey Pot, 18% of global email spam, or approximately 6.5 trillion unwanted messages per year, begin with an automated bot harvesting email addresses via the Tor network. Fundamentally, the challenge we have is telling automated malicious traffic sent via Tor from legitimate human users. To do that, when a visitor is coming from a Tor exit node with a poor reputation, we will often use some sort of CAPTCHA. The long term solution has to be something that allows automated, malicious traffic to be distinguished from non-automated traffic coming through the Tor network. We see two viable ways of doing that, but we need help from the Tor Project to implement either of them. CloudFlare is working to reduce the impact of CAPTCHAs on Tor users without in any way compromising their anonymity and without exposing our customers to additional risk. Over the coming weeks and months we will roll out changes designed to make the lives of legitimate Tor Browser users easier while keeping our customers safe.
cloudflare, 30.03.2016

Titled "Do You See What I See? Differential Treatment of Anonymous Users," the paper said 3.67 percent of websites in the Alexa 1,000 discriminated against computers visiting with known Tor exit-node IP addresses. In some cases, the visitors are completely locked out, while in others users are required to complete burdensome CAPTCHAs or are limited in what they can do. The authors said the singling out was an attempt by the sites to limit fraud and other online crime, which is carried out by a disproportionately high percentage of Tor users. In the process, law-abiding Tor users are being treated as second-class Web citizens. In many cases, the degraded experience is automatically carried out by content delivery networks, which help individual websites to distribute content and block malicious users. One of the best-known CDNs, CloudFlare, assigns a reputational score to visiting IP addresses and if it's too low will require end-users to complete a CAPTCHA designed to prove they're a human rather than a malicious script. Websites that use CloudFlare competitor Akamai, meanwhile, often block Tor users outright with a 403 error that can't be bypassed. "Anonymous communication on the Internet is a critical resource for people whose access to the Internet is restricted by governments," the authors wrote. "However, the utility of anonymity networks is threatened by services on the Internet that block or degrade requests from anonymous users."
ars technica, 24.02.2016